Intel AES-NI For Full Disk Encryption

  • Intel AES-NI For Full Disk Encryption

    Phoronix: Intel AES-NI For Full Disk Encryption

    Last week I published benchmark results of using Intel AES-NI for Ubuntu home directory encryption, but the benefits of using this new x86 instruction set found on the latest Intel and AMD (as of today's Bulldozer launch) processors were minimal for this eCryptfs-based solution. Continuing in the AES-NI investigation under Linux, today are benchmark results when using AES-NI for full-disk encryption with dmcrypt.


  • #2
    How does this compare to stock?

    Ie how much of a performance hit does encryption have?



    • #3
      Originally posted by FireBurn
      Ie how much of a performance hit does encryption have?
      Not much. I've set up dmcrypt on my home partition (it was a separate partition, anyway), and there isn't any noticeable performance difference, even on a lowly E-350 without AES instructions.

      Here's an article which suggests that eCryptFS doesn't affect performance much:



      Though, if you have the choice, dmcrypt is always preferable to eCryptFS. It's slightly faster, less buggy due to a simpler design, and will also encrypt meta information like filenames, so your attacker won't see whether there's a folder named ~/goat_porn/ with 179489 files in it, or that just yesterday you've worked on job_application_to_$competitor.odt

      Anyway, if you're using a laptop storing confidential or private information, encrypting your home partition is well worth it. Not so much on a single-user desktop - it'll only protect against someone gaining physical access to the hard drive, not against remote attacks on a system where the encrypted drive is mounted and accessible.



      • #4
        Huh, ecryptfs really sucks in comparison to dm-crypt. Much more than I thought.



        • #5
          How to load aesni module?

          Hi,

          I've a laptop running Fedora 16 with a CPU which supports aesni, but no module named aes is loaded. How can I test if the aes instructions are used or force it?

          [chris@thinkpad ~]$ uname -r
          3.1.0-0.rc9.git0.0.fc16.x86_64
          [chris@thinkpad ~]$ grep aes /proc/cpuinfo | wc -l
          4
          [chris@thinkpad ~]$ lsmod |grep aes
          [chris@thinkpad ~]$ sudo modprobe aesni-intel #shows no error
          Swipe your right index finger on UPEK Eikon 2
          [chris@thinkpad ~]$ lsmod |grep aes #but still no module loaded
          [chris@thinkpad ~]$



          • #6
            FWIW, aesni-intel is built into all Fedora x86-64 kernels since 2.6.37-git12 (Jan 15 2011) and all i386 kernels since June.

            The CPU support for it isn't so new, is it? My 2010 model Vaio Z - Core i5-520M - has it.



            • #7
              Originally posted by chrisj
              Hi,

              I've a laptop running Fedora 16 with a CPU which supports aesni, but no module named aes is loaded. How can I test if the aes instructions are used or force it?

              [chris@thinkpad ~]$ uname -r
              3.1.0-0.rc9.git0.0.fc16.x86_64
              [chris@thinkpad ~]$ grep aes /proc/cpuinfo | wc -l
              4
              [chris@thinkpad ~]$ lsmod |grep aes
              [chris@thinkpad ~]$ sudo modprobe aesni-intel #shows no error
              Swipe your right index finger on UPEK Eikon 2
              [chris@thinkpad ~]$ lsmod |grep aes #but still no module loaded
              [chris@thinkpad ~]$
              See my post - it's already built into the kernel. Unless there's some config file you have to poke, it's already being used.

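The check asked for in post #5 and answered in posts #6 and #7, as an added example that is not part of the original thread: it reads the CPU flag and the kernel's crypto registry to tell a compiled-in AES-NI driver from a loadable module. The function name `aesni_status` and the sample files are constructed for illustration; it assumes the usual `/proc/crypto` layout, where a built-in implementation is reported as `module : kernel`.

```shell
#!/bin/sh
# Added example. aesni_status CPUINFO CRYPTO prints one of:
#   no-cpu-flag | builtin | module | not-registered
aesni_status() {
    cpuinfo=$1 crypto=$2
    # CPU support appears as the "aes" flag in /proc/cpuinfo.
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "$cpuinfo" ||
        { echo no-cpu-flag; return 0; }
    # /proc/crypto lists each registered implementation. "module : kernel"
    # means it is compiled in; lsmod lists loadable modules only.
    awk -F': *' '
        NF >= 2 { sub(/[ \t]+$/, "", $2) }
        $1 ~ /^driver/ { drv = $2 }
        $1 ~ /^module/ && drv ~ /aesni/ && !how {
            how = ($2 == "kernel") ? "builtin" : "module"
        }
        END { print (how ? how : "not-registered") }
    ' "$crypto"
}

# Constructed sample inputs, not captured from a real machine.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'processor\t: 0\nflags\t\t: fpu sse2 pclmulqdq aes avx\n' > "$tmp/cpu_aes"
printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3\n' > "$tmp/cpu_plain"
cat > "$tmp/crypto_builtin" <<'EOF'
name         : aes
driver       : aes-aesni
module       : kernel
priority     : 300

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
EOF
printf '%s\n' 'name         : aes' 'driver       : aes-aesni' \
    'module       : aesni_intel' > "$tmp/crypto_module"
printf '%s\n' 'name         : aes' 'driver       : aes-generic' \
    'module       : kernel' > "$tmp/crypto_generic"

for c in builtin module generic; do
    echo "$c: $(aesni_status "$tmp/cpu_aes" "$tmp/crypto_$c")"
done
echo "plain cpu: $(aesni_status "$tmp/cpu_plain" "$tmp/crypto_builtin")"
```

On a live system, call `aesni_status /proc/cpuinfo /proc/crypto`; a result of `builtin` corresponds to the case in the thread where `lsmod | grep aes` prints nothing even though the driver is present.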


              • #8
                btw, finding out the above was a great example of how awesome git is. Check this:

                [adamw@adam kernel (f16 *%)]$ git log --pretty=oneline -S'AES_NI_INTEL'
                9765980dfcba8e290b18190f68928ca3e9b8d6c8 Bring in Linux-3.1-rc2
                db49e9edd88a3f41e7c5f249c26583c579a41bb1 update to snapshot 2.6.38-git19
                ee6c061eb9517d21067cab44eeadec08b91cbd7a snapshot 2.6.37-git12
                7a32965a104c3363e8505fe566531fcf071cced7 initial srpm import

                yes, git can give you a list of every commit which includes a change containing a given string - so any commit which added, deleted or modified a string containing AES_NI_INTEL in the above case. git for life!



                • #9
                  Originally posted by AdamW
                  FWIW, aesni-intel is built into all Fedora x86-64 kernels since 2.6.37-git12 (Jan 15 2011) and all i386 kernels since June.

                  The CPU support for it isn't so new, is it? My 2010 model Vaio Z - Core i5-520M - has it.
                  OK, good to know, then I don't have to care about it any longer. I've only found bug reports and that AES_NI_INTEL has been disabled, thanks!



                  • #10
                    a comparison to bulldozer would be nice!
